Cloud Strategy Development

Ensure business success by linking your cloud strategy to your overall business strategy. We'll support you in assessing your cloud readiness, defining the ideal cloud application portfolio, and planning how to achieve your goals as efficiently and effectively as possible.

 
Design

Making the right decisions when designing your cloud infrastructure is crucial in ensuring the success and financial viability of your cloud. We'll help you choose the right cloud type, select the appropriate vendor / provider, design your infrastructure and services, and ensure that your infrastructure and data are secure.

 
Migrate

Migrating business-critical data and applications into the cloud poses a number of challenges. We'll support you in planning your migration process, from preliminary testing to final go-live, and if required also provide hands-on technical support during the actual migration.

 
Operations

Get the maximum benefits from your cloud migration by adopting best practices. We'll support and train your technical staff in setting up best-practice procedures for monitoring your cloud and keeping it healthy. Additionally, we can help you increase the efficiency of your IT operations by automating routine administrative tasks.


PayPal two-factor authentication vulnerability revealed

Duo Security this week unveiled a massive security vulnerability in PayPal's two-factor authentication system which would have allowed attackers to bypass the security system and gain access to users' accounts, where they would have been able to make unauthorized payments.

The vulnerability is said to have been in the authentication flow for the PayPal API web service, which is used by PayPal's official mobile application as well as third-party merchants and apps. Duo Security waited until PayPal fixed the issue before publicly unveiling this vulnerability. A post from the security firm said the following:

"As of the date of this post (June 25), PayPal has put a workaround in place to limit the impact of the vulnerability, and is actively working on a permanent fix,"

"In light of the vulnerability reporting timeline and the trivial discoverability of the vulnerability, we have elected to publicly disclose this issue, so that users can be informed to the risks to their PayPal accounts."

It was discovered that even though PayPal's mobile apps do not support accounts with 2FA (two-factor authentication) enabled, it was possible to "trick" PayPal's mobile applications into ignoring a 2FA flag on an account, in turn allowing an attacker to log in without requiring secondary authentication, which is usually sent either to a user's mobile phone or a credit-card sized security code device. This was all possible by interfacing directly with the PayPal API.

Duo Labs' proof-of-concept was built on a Python script which was able to communicate with two separate PayPal API services, one to authenticate and the other to transfer money to another account. PayPal implemented a workaround on June 23rd, with a permanent fix targeted for July 28th.
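The design flaw described above, modelled as an added example that is not PayPal's or Duo Labs' code: a login endpoint that only reports the 2FA requirement as a flag for the client to honour, next to one where the server withholds a fully privileged session until the second factor is verified. Every function name, the user record and the one-time code are constructed for illustration.

```python
import hmac
import secrets

# Constructed user store and session table (hypothetical values).
USERS = {"alice": {"password": "correct horse", "two_factor": True, "otp": "492871"}}
SESSIONS = {}  # token -> {"user": str, "full": bool}

def _equal(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

def _issue(user, full):
    token = secrets.token_hex(16)
    SESSIONS[token] = {"user": user, "full": full}
    return token

def _password_ok(user, password):
    rec = USERS.get(user)
    return rec is not None and _equal(rec["password"], password)

def login_flag_only(user, password):
    """Weak: full session after the password check; 2FA is only advisory,
    so a client that ignores the flag keeps a working session."""
    if not _password_ok(user, password):
        return None
    return {"token": _issue(user, full=True),
            "two_factor_required": USERS[user]["two_factor"]}

def login_enforced(user, password):
    """Hardened: a 2FA-enabled account receives only a pending session."""
    if not _password_ok(user, password):
        return None
    needs_2fa = USERS[user]["two_factor"]
    return {"token": _issue(user, full=not needs_2fa),
            "two_factor_required": needs_2fa}

def verify_second_factor(token, code):
    """Upgrade a pending session only when the one-time code matches."""
    session = SESSIONS.get(token)
    if session is None:
        return False
    if _equal(USERS[session["user"]]["otp"], code):
        session["full"] = True
    return session["full"]

def transfer_allowed(token):
    """Authorization check every sensitive endpoint runs server-side."""
    session = SESSIONS.get(token)
    return bool(session and session["full"])
```

The check in `transfer_allowed` is what matters: it has to run in every service that accepts the session token, not only in the one that issued it.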

PayPal's senior director of global initiatives, Anuj Naya, said that "Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way." He also went on to say that:

"If you have chosen to add 2FA to your PayPal account, your account also remains secure and 2FA will continue to operate as usual on the vast majority of PayPal product experiences. Even though 2FA is an additional layer of authentication, PayPal does not depend on 2FA to keep accounts secure."

Last month, PayPal's parent company, eBay, was in the spotlight over a massive privacy breach following an attack on May 21 which compromised a database holding non-financial data.